Tornado Cash Review: Bringing Privacy to Ethereum
There’s a misconception out there concerning cryptocurrencies. For some reason many people have come to believe that blockchain transactions are private and anonymous, but for most blockchains nothing could be further from the truth. Rather than being anonymous, most (including the two largest – Bitcoin and Ethereum) are simply pseudonymous. They are completely public and visible, and while an individual address isn’t linked to a name publicly, it is often easy enough to determine the owner of a particular wallet address.
Because of this almost anyone’s spending habits can be tracked using their public wallet address. All that anyone needs to see the full trail is the user details of a single transaction. While that might not give them the identity of the person who owns the address, it still leaves a lot to be desired as far as privacy-oriented crypto users are concerned.
There are any number of blockchain projects and tools that have attempted to solve the problem of pseudonymity versus anonymity, however none have been as successful as the transaction mixer.
If you haven’t been exposed to the transaction mixer previously, it basically scrambles the funds of multiple users together, as well as their transactions, to “mix” the funds and make them anonymous. By mixing like this the funds become more difficult to track, and if the proper precautions are taken they can even be impossible to track.
However when most mixers were actually put into use it’s apparent that the transactions are still traceable to the public ledger, making these solutions not a fully successful solution to anonymity.
Tornado Cash is another solution aiming to solve the issue of privacy and anonymity on transparent public blockchains. While similar, it is not precisely a coin mixer in the same manner as solutions like Samourai because it works in a slightly different manner. In the end however the goal is the same – to keep your financial transactions private and anonymous.
About Tornado Cash
Tornado Cash is a privacy focused, decentralized non-custodial tool that is built on the Ethereum blockchain. It was created based off the open source research done by the Zcash team, and the tool allows users to make their Ethereum or other ERC-20 tokens privatized by sending them through its smart contract service.
After sending a deposit to the Tornado Cash smart contract is can be withdrawn to a new Ethereum address. This process ensures that the withdrawn funds can’t be linked to the deposit source, thus ensuring the privacy and anonymity of the assets.
Unlike some other tools meant to create privacy the Tornado Cash protocol is fully owned and governed by its community. This was accomplished in May 2020, when the Tornado Cash development team relinquished control over the protocol’s multi-signature wallet in a Trusted Setup Ceremony. Following hat turnover the developers and even the founders have no control over Tornado Cash and it can be considered to be fully decentralized.
There is a governance token associated with the project. The TORN token is an ERC-20 token with a fixed supply of 10 million tokens. Holding the TORN token gives a user the ability to submit proposals and to vote on protocol changes. In addition, the users of Tornado Cash accrue Anonymity Points as they interact with the protocol. These are deposited to a shielded account, and once enough are accumulated they can be converted to TORN tokens in a unique process known as Anonymity Mining.
Other Privacy Protocol Alternatives
Tornado Cash isn’t the first attempt at privatizing Ethereum transactions. There have been a number of methods attempted that include custodial mixing services, centralized exchange wallets, and obscuring value flows. The problem is that all of these solutions have introduced some degree of surveillance risk, ultimately making them unsuitable as a privacy solution. And none ever reached the level of privacy and anonymity that’s provided by coins like Monero and Zcash.
As one of the first privacy coins created, Zcash is the basis for many new projects, including Tornado Cash. Zcash uses a number of cryptography solutions, including Zero-Knowledge Proofs. In Monero a multiple-key system that uses “view” and “spend” keys with public and private versions introduces privacy. Monero also includes three segments of cryptography to hide its transactional components from public view.
Tornado Cash was built using the open source research of the Zcash team. They applied it to Ethereum so that users are now able to anonymously send Ethereum, not just Zcash.
Privacy Achieved by Tornado Cash
Privacy is achieved by Tornado Cash through the breaking of the on-chain link between the token recipient and their address. The Tornado Cash smart contract takes the ETH deposited to it, combines the deposits and transactions, and then scatters the tokens to different addresses when withdrawn. This means that any withdrawals from the smart contract cannot be linked to the depositing address, which creates privacy for the tokens in the new address.
In essence Tornado Cash is acting as a proxy to create anonymity in Ethereum transactions. They use Zero-Knowledge Succinct Non-Interactive Argument of Knowledge Proofs (zk-SNARKs) to do so. These proofs are something also used by Zcash.
In zk-SNARKS cryptography proofs there are a Prover and a Verifier. The Prover is tasked with proving some hypothesis, while the Verifier is there to determine the truth of the Prover’s claim. The basis of zero-knowledge proofs is that possession of some information can be proven without revealing what the information actually is.
One real-world example is when you call a financial institution and they ask for the final four numbers of your social security number. They use that information to prove that it is you without the need to reveal your full social security number and put you at risk of identity theft.
The Tornado Cash Secret
When a deposit is made to the Tornado Cash smart contract it generates a “secret” with an associated hash. That hash is called a “commitment” and it is sent along with the deposit to the Tornado smart contract.
The smart contract accepts the deposit and associated commitment and adds it to the list of deposits it is holding. In order to make a withdrawal of funds from the smart contract the user must provide the secret that corresponds to the commitment of some unspent funds in the deposit list.
This is where zk-SNARKs come in. Using this technology Tornado Cash is able to perform the task without exposing which specific deposit corresponds to the secret. The smart contract is then able to release the proper amount of funds to the withdrawal address in such a way that a snooper would still be unable to determine the origin of the funds being released from the smart contract.
So in essence Tornado Cash acts like a mixer, scrambling the deposits and withdrawals so that they can’t be linked.
The Anonymity Set in Tornado Cash is there to show the deposits that are sitting in the smart contract and awaiting withdrawal. It will also show how many deposits can be accessed when performing a withdrawal.
This also introduces two options for the withdrawal process:
- You can use a wallet like MetaMask, in which case you’ll need a new address that also contains some ETH. The quandary here is how to add ETH to a new address without giving up your privacy.
- You can use the Tornado Cash Relayer together with a new Ethereum address to maintain complete privacy and anonymity.
Tornado Cash Relayers
The Relayer allows you to withdraw to any address, even those with no ETH. By using a new address to withdraw it means there is no way to link the withdrawal to any specific deposit. So there is no longer a trail to follow leading back to any addresses that might be linked to you. Plus the developers have no control over the Relayer so they are unable to make any alteration to the withdrawal data.
On-Chain Versus Network Anonymity
Users of Tornado Cash need to remain aware that the tool is only a solution to on-chain privacy. That’s a great start to privacy, but users still need to follow the best network level practices if they want to keep their data completely private.
Even when using the Relayer it is necessary to use a VPN, a proxy, or Tor to hide your IP address. It can also be useful to enable Incognito Tab features on your browser. Also be sure to clear all your cookies that may be stored by any dApps you’ve used. This is done to prevent the dApp from using the cookies to make an association between your old address and the new address.
Getting Started with Tornado Cash
When you’re planning on getting started with Tornado Cash there are a few steps to take to ensure the greatest privacy and anonymity. You’ll want to start with a new browser, a new wallet, and a new IP address to get a fresh start. This is all necessary because your internet service provider, and other online entities, will have access to your IP address on each hop between your browser and the target server. This makes all the information passed along this route public.
Your ISP is capable of logging not only your IP address, but also the timestamp of all the packets of data sent to a Relayer. That information is theoretically enough for them to build a connection between your wallet and the timestamps of the withdrawals from Tornado Cash. That’s why it is important to use a VPN to obfuscate your IP address, especially when making any withdrawals.
In addition, any remote procedure calls made with your wallet could also link it to any withdrawal requests. Of course most of these things aren’t going to be relevant for the average users, but they are necessary for complete anonymity. We know that convenience is often the most important consideration, and that most RPC nodes and dApps, while able to track your transactions, won’t actually be logging this data. But if complete privacy and anonymity are a concern then these steps will ensure that your transactions do remain private.
Additional Tornado Cash Privacy Tips
Getting back to the on-chain privacy afforded by Tornado Cash, it is also important that you wait before withdrawing any of your funds that were deposited. Tornado Cash recommends a minimum of 24 hours. This is because the longer you wait, the more deposits will be made to Tornado Cash in the meantime, and the harder it becomes to link your deposit with the eventual withdrawal. The further apart these transactions are, the more difficult it becomes to connect them.
For example, when a withdrawal follows closely behind a deposit, especially if it is for the same amount, the two are likely to be from the same address. This is even more true if there are a batch of deposits followed closely by a batch of withdrawals. You don’t want to make it easier for any potential observer to make such a connection.
That’s why it is best to wait for some time after your deposit before you make a withdrawal. And the longer you wait the better your privacy.
Try Multiple Withdrawals
One of the best methods for creating anonymity and privacy is by using multiple withdrawals. But don’t simply make them all at once. Instead spread them out over time, and to multiple unlinked addresses. And it’s even better if you make them for different random amounts as well.
Another method to use when making multiple withdrawals is to do them outside the normal business hours in your timezone.
Finally, never tweet about anonymous transactions or broadcast them in other ways. This seriously jeopardizes your anonymity. Don’t give third-party observers anything to work with that could help them in making connections between your addresses and any transactions.
How to Use Tornado Cash
As mentioned above, when deposit to Tornado Cash you will receive a “secret”. Keep this safe because you will need it later to withdraw the tokens. If you lose the secret there is no way for you to retrieve your funds.
- We went over the requirements above to generate a new wallet, a new browser, and a new IP address. Do this first.
- Decide which token you will deposit. You can deposit ETH or another ERC-20 token. Decide the amount and click ‘Deposit’ then confirm the transaction.
- Wait some time (a minimum of 24 hours is recommended).
- Withdraw either using MetaMask or Relayer.
- If MetaMask you’ll enter the “secret” and click the ‘Settings’ icon. Choose MetaMask as the wallet option and click ‘Save’. Enter your MetaMask address and click ‘Withdraw’. Then sign the transaction and wait for it to process.
- If Relayer you only need to enter the “secret” and your address and then click ‘Withdraw’.
Tornado Cash Decentralization
Tornado Cash has been fully decentralized and community owned since May 2020 when a Trusted Setup Ceremony transferred ownership of the protocol from the founders to the community. All of the smart contracts are open source, and there is no data collection within the protocol. Now that it is decentralized and running no one is able to alter it, or to shut it down. Ever.
In addition, there is no single deployer that has any control over governance, the smart contracts, or the token distribution. The smart contracts being used are immutable, and the zk-SNARK proofs are based on strong cryptography to keep the protocol secure.
The code has been audited several times, and the only way to link a deposit with a withdrawal is by possessing a valid secret. The firms that conducted Tornado Cash smart contract security audits were ABDK, Pessimistic, and Zeropool.network.
The Tornado Cash Team
Tornado Cash was created with a driving principle of people deserving privacy as a basic human right. The founders believe that the more people who adopt this as their philosophy, the more secure life will become for each and every one of us.
Roman Storm has a degree in Metallurgical Engineering, but has been working primarily as a software developer since 2011. He previously worked for Amazon, and was a blockchain engineer for Blockchainlabs.nz, employed in building ICO contracts, writing ERC-20 tokens, and audits of solidity code. At PepperSec he worked with a number of DeFi projects, including AAVE, 0x, 1inch.exchange, dydx, Compound, and makerdao.
Roman Semenov is a specialist in quantum statistics and field theory, as well as a serial entrepreneur. Prior to co-founding PepperSec and Tornado Cash he was also the co-founder of Viking Studio, a Russian social media marketing firm, and RedHelper, a service specializing in boosting ecommerce conversions.
The Tornado Cash protocol rewards any user who chooses to add to the Anonymity set with TORN, the governance token of the protocol. The team refers to this as Anonymity Mining.
The team realized that they weren’t able to use the typical liquidity mining setup like traditional DeFi, because users would inevitably reveal how long they kept deposits in the pool. This would destroy the privacy that’s at the core of Tornado Cash. Anonymity Mining fixes this by providing users with a shielded liquidity mining system where they can receive TORN tokens.
Anonymity Mining works like this; depositing into Tornado Cash leads to the generation of private Anonymity Points. These points are sent to a shielded account that provides privacy protection of the deposit information, balance, and wallet address. Once enough Anonymity Points have been collected the user is able to convert them into TORN tokens in a shielded claiming transaction.
The TORN Token
Any time you use Tornado Cash you are also mining TORN tokens through the Anonymity Mining process. That means the more you use Tornado Cash the more TORN tokens you earn. And the more TORN tokens you hold, the greater impact you can make on future decisions that affect the platform.
TORN is an ERC-20 token with a fixed supply of 10 million tokens. It is meant strictly as a governance token for making protocol proposals and for voting on the outcome of those proposals. It was not released for fund raising purposes, and isn’t meant as an investment or speculative opportunity.
The distribution of the tokens is as follows:
- 5% (500,000 TORN) go to early adopters via an airdrop.
- 10% (1,000,000 TORN) for Anonymity Mining.
- 55% (5,500,000 TORN) go to the treasury and are unlocked linearly over five years.
- 30% (3,000,000 TORN) are for founding developers and early supporters.
Despite the team emphasizing that TORN tokens are not meant for speculation the price soared after the token was released, hitting an all-time high of $437.41 on February 13, 2021. Since then the price has fallen back to Earth, losing some 90% to trade at $42.85 as of June 25, 2021.
Of course that could mean the token is now trading at a healthy discount to its potential future value. Or the drop could serve as a warning to avoid unnecessary speculation.
One of the key philosophies of the early cypherpunks was that f privacy. Tornado Cash helps to restore that to some extent, allowing individuals to retain their privacy, anonymity, and ultimately their freedom over interference from governments and other third-parties. Whether that eventually causes issues with regulators remains to be seen, but if we go by the example set by Zcash and Monero there are certainly ways for privacy-centric projects to work together with regulators.
Having privacy and anonymity also helps to protect users from criminal elements who are always searching for vulnerabilities to exploit in cryptocurrency whales. Without privacy and anonymity anyone is open to hackers, ransom demands, or even a physical invasion of criminals looking to steal cold storage wallets or passwords.
We can be thankful that Tornado Cash exists to help preserve privacy. At the same time, until the service gains more traction the anonymity it provides can sometimes be less than ideal. The service relies on a large number of incoming transactions for its Anonymity Set to work properly. Fortunately usage has been growing, and as of June 2021 Tornado Cash has processed over 65,000 deposits and more than 1.5 million ETH. That’s a good sign for the future growth of the project.
Update: Removed references to PepperSec in connection with Tornado Cash
Disclaimer: These are the writer’s opinions and should not be considered investment advice. Readers should do their own research.